November 15, 2012

After press coverage of, and pressure over, a vulnerability that Skype has known about for a couple of months now, Microsoft has plugged a gaping hole that allowed an attacker to take over an account and read its recent sent and received messages, without ever knowing the original account credentials.

TNW even published a step-by-step guide on how to reproduce the attack. In the meantime, Microsoft disabled the password reset capability in Skype while they investigated the vulnerability, and then fixed the hole to prevent further exploitation. They are now reaching out to all affected account holders, which demonstrates that their auditing capabilities are pretty good.

What is interesting here is that the primary cause of this hole was a lack of email validation and of a uniqueness constraint tying each email address to a single Skype account name. In other words, a new account could be created by signing up with an email address already registered to an existing Skype account… and Skype would email that address a reminder of the original username. Because the same step also caused a password reset token to be delivered to the Skype app itself, a third party could redeem it and claim ownership of the original username, and thus the account, before the reset email reached the original account holder.
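As an added illustration (not Skype's code and not from the original post), the toy Python model below contrasts the two design decisions the paragraph blames. The vulnerable store accepts a duplicate, unverified email and pushes the reset token for the original account to every app session tied to that address; the hardened store enforces one account per email, trusts an address only after verification, and delivers tokens out of band only. All account names and addresses are constructed.

```python
import secrets
from dataclasses import dataclass, field

@dataclass
class Account:
    username: str
    email: str
    email_verified: bool = False
    app_inbox: list = field(default_factory=list)  # in-app notification channel (constructed stand-in)

class VulnerableStore:
    """Constructed model of the flaw: duplicate emails accepted and never verified,
    and a reset token for the ORIGINAL account is pushed to every app sharing the email."""
    def __init__(self):
        self.accounts, self.tokens = {}, {}
    def register(self, username, email):
        self.accounts[username] = Account(username, email)  # no unique constraint on email
    def request_reset(self, email):
        holder = next(a for a in self.accounts.values() if a.email == email)  # first signup wins
        token = secrets.token_urlsafe(16)
        self.tokens[token] = holder.username  # redeeming this token resets the original account...
        for a in self.accounts.values():
            if a.email == email:
                a.app_inbox.append(token)     # ...but it is delivered to every matching app
        return token

class HardenedStore:
    """One account per email, address verified before it is trusted, tokens sent by email only."""
    def __init__(self):
        self.accounts, self.tokens, self.mail = {}, {}, {}
    def register(self, username, email):
        if any(a.email == email for a in self.accounts.values()):
            raise ValueError("email already registered")  # uniqueness constraint
        self.accounts[username] = Account(username, email)
    def verify_email(self, username):
        self.accounts[username].email_verified = True  # stands in for a clicked verification link
    def request_reset(self, email):
        holder = next((a for a in self.accounts.values() if a.email == email), None)
        if holder is None or not holder.email_verified:
            return None                       # unproven address: refuse rather than guess
        token = secrets.token_urlsafe(16)
        self.tokens[token] = holder.username
        self.mail.setdefault(email, []).append(token)  # out of band only, never to the app
        return token
```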

Pretty interesting attack vector. It goes to show the weaknesses in password reset mechanisms. We can learn something here.